M&S and Diageo pension schemes affected by Capita cyber attack

Capita has warned the pension schemes of Marks and Spencer, Diageo, Unilever and Rothesay that their members’ personal details may have been stolen by hackers during a cyber attack on the UK outsourcing contractor.

The pension funds were among hundreds of private sector pension schemes that used Capita to support their pension administration services. Capita discovered a cyber incident in March and confirmed in April that it had been the victim of a hack that affected some customers.

The M&S pension scheme said on Thursday that the attack may have affected the security of personal data for a “large proportion” of the scheme’s members, including the “majority” of pensioners who worked at the retailer.

It added that “if personal data is accessed, it can be used for fraud, identity theft or to send malicious emails”.

“Capita cannot be certain that this data was accessed, but we believe it is appropriate to act as if this was the case and warn affected members of the potential risks,” the pension scheme said in a statement published on its website.

According to its 2021 accounts, the M&S pension scheme had 106,000 members, around 53,000 of them pensioners. M&S pension scheme trustees declined to comment beyond the website statement.

Meanwhile, Diageo said some of its 32,000 pensioners were affected by the incident. The drinks maker said it was still working with Capita to establish the full impact of the hack.

Capita is now offering some members of the Diageo pension scheme free membership of a service that helps detect possible misuse of personal data.

Diageo said: “We have written to these members to reassure them that there has been no impact on the Diageo pension scheme and that their benefits are safe.” The potential data breach surrounding the Diageo pension scheme was first reported by The Scotsman.

The reports from Capita’s private sector clients come almost two months after the outsourcer first discovered a cyber incident. The contractor had initially said last month that there was “no evidence” to suggest that customer data had been compromised by the hack.

On Thursday, USS, the UK’s largest private sector pension scheme, said it would offer free access to an identity protection service after members’ data was put at risk by the Capita hack. USS is a customer of Capita, which last week announced that the data of 470,000 members was at risk.

“We will be writing to (members) as soon as possible to outline how (the identity protection service) will work,” USS said in a statement.

USS declined to comment on how the ID theft protection service would be funded. But the company understood that this would not be paid for from members’ funds.

Aaron Le Marquer, head of policyholder disputes at UK law firm Stewarts, said it was highly likely that other affected pension schemes or other financial institutions whose customer data was at risk of being compromised by the Capita breach would offer similar protection to their members or customers.

They are likely to “seek to recover such costs from Capita, raising the question of whether Capita is covered for such liabilities to third parties under the terms of its cyber insurance”, he warned.

USS declined to comment on whether it would retain Capita’s services.

 
